Re: Password generation classes

From: John Wong <gokoproject@gmail.com>
Date: Wed, 30 Sep 2015 11:47:01 -0400
Message-ID: <CACCLA54UuuXdPXmy5wCFqdy5P0x0SLSVEyUOm=Raj00wV+n2bA@mail.gmail.com>
To: Jonathan Kingston <jonathan@jooped.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Sep 30, 2015 at 5:57 AM, Jonathan Kingston <jonathan@jooped.com> wrote:
> The credential manager would also have the ability to inform users of
> applications using weak credentials for longer time periods than suggested.
> ---
> This might for example look like:
> navigator.credentials.get({ "password": true, credentialClass: 2 })
> An application would inform the credential manager what class of credential
> they require, this prevents the credential manager sending things that the
> app can't cope with however also prevents the site making bad choices.

This is what confuses me, and excuse me if it is clear to others. How should
the CM prevent the site from making bad choices?
I think the first part is like a handshake where we exchange, negotiate and
agree upon something. But maybe we have to be careful with negotiation - if
the WG says these are the only classes the UA supports. At least there should be an
option in the browser to bypass the negotiation so it makes testing easy
(maybe I want to test a weak password).

Received on Wednesday, 30 September 2015 15:47:29 UTC